Data protection
We attach great importance to the protection of your personal data when you visit our website. In principle, we collect as little personal data as absolutely necessary. In doing so, your data is protected in compliance with the relevant legislation.
The Federal Institute for Public Health has implemented technical and organisational measures to guarantee that data protection regulations are complied with.
The use of contact information published on our website by third parties to send unsolicited advertising or information material is expressly forbidden. We expressly reserve the right to take legal steps in the event of unsolicited advertising being sent to us.
I. Name and address of controller
The controller within the meaning of the General Data Protection Regulation, the data protection laws of other EU member states, and other data protection legislation is:
Federal Institute for Public Health (BIOEG)
Maarweg 149 – 161
50825 Cologne
Germany
Tel. +49 (0) 221-8992-0
E-mail: poststelle(at)bioeg.de
Website: www.bioeg.de
II. Contact data of data protection officer
The BIOEG’s data protection officer can be contacted at:
Federal Institute for Public Health
- Data Protection Officer
Maarweg 149 – 161
50825 Cologne
Germany
Tel. +49 (0) 221-8992-0
E-mail: datenschutzbeauftragter(at)bioeg.de
III. General information on data processing
1. Scope of personal data processing
In principle, we only collect and utilise personal data from our users insofar as this is necessary for the provision of a functional website along with our content and services. As a rule, we only collect and utilise personal data from our users with their consent. An exception applies in those cases where prior consent cannot be obtained for legitimate reasons and the processing of the data is permitted by law.
2. Legal basis for the processing of personal data
Art. 6 no. 1 lit. a EU General Data Protection Regulation (GDPR) serves as the legal basis for the processing of personal data in cases where we obtain the consent of the data subject concerned.
Art. 6 no. 1 lit. b GDPR serves as the legal basis for the processing of personal data necessary for the performance of a contract to which the data subject is a party. The same applies to data processing necessary for the implementation of any measures required before concluding a contract.
Art. 6 no. 1 lit. c GDPR serves as the legal basis for the processing of personal data necessary for compliance with a legal obligation to which our authority is subject.
Art. 6 no. 1 lit. d GDPR serves as the legal basis for the processing of personal data necessary to protect the vital interests of the data subject or another natural person.
Art. 6 no. 1 lit. e GDPR serves as the legal basis for the processing of personal data for the performance of a task in the public interest or in the exercise of official authority vested in the controller.
3. Data erasure and storage period
The data subject's personal data will be erased or blocked as soon as the purpose for which it was stored ceases to apply. Furthermore, data may be stored if this has been provided for by the European or national legislator in EU regulations, laws or other provisions to which the controller is subject. The data will also be blocked or erased when a storage period prescribed in the aforementioned legislation expires, unless the data has to be stored for a longer period in order to conclude or execute a contract.
IV. Provision of website and generation of log files
1. Description and scope of data processing
Whenever our website is accessed, our system automatically collects data and information from the accessing computer system.
The data collected constitutes the following:
- Browser type and version
- Operating system used
- Website from which you are visiting our website (referrer URL)
- Pages and files you access on our website
- If applicable, the website you visit after ours (by clicking an external link on our website)
- Date and time at which you accessed our website
- Your internet protocol (IP) address, anonymised and truncated
This data is stored in our system's log files. It is not stored together with any of the user's personal data.
2. Legal basis for data processing
The legal basis for the temporary storage of data and log files is Art. 6 no. 1 lit. e GDPR.
3. Purpose of data processing
The temporary storage of the IP address by the system is necessary to facilitate the delivery of the website to the user's computer. In this situation, the user’s IP address must be stored for the duration of the session.
4. Storage period
Your data is erased as soon as it is no longer required for the purpose for which it was collected. With regard to data collected for the purpose of displaying this website, this is the case when the respective session ends.
With regard to data stored in log files, this is the case after no more than fourteen days. Data may also be stored for longer periods. The user's IP address is stored while the log files are being generated so that it can no longer be assigned to the accessing client.
5. Right to object and right to erasure
The collection of data for the provision of the website and the storage of data in log files are absolutely essential for the operation of the website.
V. Use of cookies
1. Description and scope of data processing
We use cookies to make our website more user-friendly. For certain elements on our website, it must be possible to identify the accessing browser after the user has switched to another page.
Cookies are text files stored in the web browser or by the web browser on the user’s computer system. If the user accesses a website, a cookie can be stored in the user's operating system. This cookie contains a distinguishing string of characters that makes it possible to identify the browser when the user revisits the website.
If your browser (e.g. Internet Explorer, Mozilla, Opera) is configured to accept cookies, our website will store up to 4 cookies on your computer. 1 cookie is for the utilisation of service functions.
Up to 3 additional cookies are stored by our web analysis tool “Matomo”.
2. Legal basis for data processing
The legal basis for the processing of personal data using cookies is Art. 6 no. 1 lit. e GDPR.
3. Purpose of data processing
Technically essential cookies are utilised to make the use of our website easier. Some of the functions on our website cannot be provided without the use of cookies. In these cases, it is essential that the browser is recognised when the user accesses another page.
Analysis cookies are used to improve the quality of our website and its content. Analysis cookies enable us to find out how the website is used, as a result of which we can continually optimise our services.
4. Duration of storage, possibility of objection and removal
Cookies are stored on the user's computer and transmitted by it to our website. As a user, you therefore have full control over the use of cookies. You can deactivate or restrict the transmission of cookies by changing the settings in your Internet browser. Cookies that have already been saved can be deleted at any time. This can also be done automatically.
Storage duration of cookies: see cookie list under point 5.1
You can delete all cookies manually or set your browser so that it automatically deletes all cookies at the end of a session. Please note that the Matomo deactivation cookie (see section VI. Web tracking/web analysis, subsection 5.) will then also be deleted and you will have to object to the collection of statistical data again the next time you visit our website.
If cookies are deactivated for our website, it may no longer be possible to use all the functions of the website to their full extent.
VI. Web tracking/web analysis
1. Description and scope of data processing
BIOEG uses the web analysis tool ‘Matomo’ (formerly Piwik), which is operated on our own server, to optimise its website. The use of ‘Matomo’ complies with data protection regulations in accordance with the recommendations of the Independent Centre for Data Protection Schleswig-Holstein (ULD). The IP addresses are immediately anonymised by Matomo, making it impossible to identify visitors. The anonymous statistical data is stored separately from any personal data you may have entered on the website and does not allow any conclusions to be drawn about a specific person.
The following data is stored:
- 1 byte of the IP address of the user's accessing system
- Time and duration of the visit
- Pages and files accessed during the visit
- Website from which the user accessed the website (referrer)
- Search terms used by users to access the website and search terms used in internal searches
- Access to external websites that are accessed via links on our site
- System information of the users (operating system, browser, set browser language, device type, screen resolution)
2. Legal basis for data processing
The legal basis for the processing of the aforementioned data is Art. 6 para. 1 lit. e GDPR.
3. Purpose of the data processing
The processing of the aforementioned data enables us to analyse the surfing behaviour of users on our website. By analysing the data obtained, we are able to compile information about the use of the individual components of our website. This enables us to constantly improve the content and user-friendliness of our website so that users can access the information they need quickly and efficiently. The need to design the website in line with requirements also results from the obligation of public authorities to use budget funds economically within the scope of their statutory duties.
By anonymising the IP address, the interest of users in the protection of their personal data is adequately taken into account.
4. Duration of storage
The anonymous log data is deleted as soon as it is no longer required for our recording purposes. This is the case after 90 days. Thereafter, only the reports generated from it are processed.
5. Possibility of objection and removal
You have the option here to object to the recording of your visit for analysis purposes:
Your visit is currently not recorded by Matomo. You can change your decision here at any time and allow us to anonymously record and analyse your visit. The recording takes place without cookies.
Your visit to this website is currently being recorded by Matomo. Click on "Disable tracking" so that your visit is no longer collected.
In addition, the ‘Do not track’ function is activated in the Matomo installation of BIOEG. If your browser supports this function and you have activated the function in the browser settings, Matomo will not collect any data, even if you do not use the above-mentioned deactivation cookie.
VII. Individual services/log-in areas
1. Description and scope of data processing
If you send an enquiry to BIOEG by e-mail, your data will be used exclusively for correspondence with you. No data will be passed on to third parties in this context.
2. Legal basis for data processing
The legal basis for the processing of data transmitted in the course of sending an e-mail is Art. 6 para. 1 lit. f GDPR. If the e-mail contact is aimed at the conclusion of a contract, the additional legal basis for the processing is Art. 6 para. 1 lit. b GDPR.
3. Purpose of data processing
The processing of the personal data from the e-mail contact serves us solely to process the contact. If you contact us via email, this also represents the necessary legitimate interest in processing the data.
4. Duration of storage
The data will be deleted as soon as it is no longer necessary to achieve the purpose for which it was collected. For personal data sent by email, this is the case when the respective conversation with the user has ended. The conversation ends when it can be seen from the circumstances that the matter in question has been finally clarified.
5. Possibility of objection and removal
If the user contacts us by email, they can object to the storage of their personal data at any time. In such a case, the conversation cannot continue. In this case, all personal data that was stored in the course of contacting you will be deleted.
VIII. Integration of third-party services and content
We use content or service offerings from third-party providers within our online offering.
This always assumes that the third party providers of this content are aware of the users' IP address, as without the IP address they would not be able to send the content to their browser. The IP address is therefore required to display this content. We strive to only use content whose respective providers only use the IP address to deliver the content. Third parties may also use so-called pixel tags (invisible graphics, also known as “web beacons”) for statistical or marketing purposes. The “pixel tags” can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information can also be stored in cookies on the user's device. The purpose and scope of data collection by third-party providers as well as further processing and use there can be found in the respective data protection declarations of the providers.
The following third-party services or content are used:
YouTube
We integrate the videos from the “YouTube” platform of the provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
Privacy Declaration: https://www.google.com/policies/privacy/
Opt-Out: https://adssettings.google.com/authenticated.
IX. Social networks
The social network's Internet platforms offer a federal agency excellent opportunities for communication, networking and proximity to citizens. BIÖG has therefore decided to establish its own presence on Facebook, Instagram, Twitter, Google+ and YouTube. We would be pleased if you would find out more about our work there and exchange ideas with us. We would like to point out that social networks and platforms may also process user data outside the EU. To the extent that US providers are certified under the so-called Privacy Shield, they are committed to complying with EU data protection standards. However, there may be risks for users due to data processing outside the EU. In particular, legal enforcement can be more difficult.
Please note that user data may be processed in the context of the use of social networks and platforms for market research and advertising purposes. Usage profiles can be created from the behavior of users. Based on such user profiles, advertisements can be placed within the social networks or platform but also, if necessary, on third-party sites. For these purposes, cookies are often stored on users' computers to record user behavior and interests. BIÖG has no influence on data collection and its further use by social networks. The BIÖG has no knowledge of the extent, where and for how long the data is stored, the extent to which the networks comply with existing deletion obligations, what evaluations and links are made with the data and to whom the data is passed on.
The processing of personal data is based on Article 6 Paragraph 1 Sentence 1 Letter e GDPR. Article 6 Paragraph 1 Sentence 1 Letter a GDPR may also be relevant as a basis for processing if a user has consented to data processing by a provider of a social network or platform.
The respective providers provide detailed information about data processing in social networks or platforms. This also regularly includes information about the possibility of objecting to certain data processing operations, so-called opt-outs. In the case of requests for information and the assertion of user rights, these are probably easiest to assert with the respective providers, as they have access to the users' data and can also take immediate measures in addition to providing information.
Please note the following information from the providers:
Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland:
Privacy Declaration: https://www.facebook.com/about/privacy/
Opt-Out: https://www.facebook.com/settings?tab=ads
Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active
YouTube, Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA:
Privacy Declaration: https://policies.google.com/privacy
Opt-Out: https://adssettings.google.com/authenticated
Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active
Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA:
Privacy Declaration: https://twitter.com/de/privacy
Opt-Out: https://twitter.com/personalization
Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt0000000TORzAAO&status=Active
Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA:
Privacy Declaration: http://instagram.com/about/legal/privacy/
Opt-Out: http://instagram.com/about/legal/privacy/
BIÖG takes the discussion about data protection in social networks very seriously. We are following the debate and the examinations by the responsible authorities and are continually checking whether we can continue to operate our social media presences under the given data protection conditions.
In the meantime, we also ask you to carefully check what personal data you disclose as a user of social media. Please also regularly check the settings on social networks to protect your privacy.
BIÖG uses so-called social plugins on some websites (e.g. Like Button, Tweet Button or others) through which you can share content via social networks. BIÖG uses techniques to protect your privacy that prevent data from being transmitted to social network providers when you access our pages. Data transfer only takes place when you actively click on the respective plugin.
X. Rights of the data subject
We would be happy to inform you about your rights under the GDPR as a “data subject”. You then have the following rights with regard to your personal data:
- Right to information (Art. 15 Para. 1, 2 GDPR)
- Right to correction (Art. 16 GDPR) or deletion (Art. 17 GDPR)
- Right to restriction of processing (“blocking”, Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object to processing (Article 21 GDPR)
- Right of withdrawal (Art. 7 Para. 3 GDPR)
- Right to lodge a complaint with a supervisory authority (Article 77 GDPR)
In addition, we summarize the key points of the rights of those affected under the GDPR as follows, although this presentation does not claim to be complete, but rather only addresses the basic principles of the rights of those affected under the GDPR:
1. Right to information
You can request confirmation from the person responsible as to whether personal data concerning you is being processed by us. If such processing occurs, you can request information from the person responsible about the following information:
- the purposes for which the personal data are processed;
- the categories of personal data that are processed;
- the recipients or categories of recipients to whom the personal data concerning you have been or will be disclosed;
- the planned duration of storage of the personal data concerning you or, if specific information is not possible, criteria for determining the storage period;
- the existence of a right to rectification or deletion of personal data concerning you, a right to restrict processing by the controller or a right to object to this processing;
- the existence of a right to lodge a complaint with a supervisory authority;
- all available information about the origin of the data if the personal data is not collected from the data subject.
2. Right to rectification
According to Art. 16 GDPR, you have the right to request correction and/or completion from the person responsible if the processed personal data that concerns you is incorrect or incomplete.
3. Right to deletion
Under the conditions of Art. 17 GDPR, you can request that the person responsible delete the personal data concerning you immediately, and the person responsible is obliged to delete this data immediately if one of the following reasons applies:
- The personal data concerning you are no longer necessary for the purposes for which they were collected or otherwise processed.
- You revoke your consent on which the processing was based in accordance with Article 6 Paragraph 1 Letter a or Article 9 Paragraph 2 Letter a GDPR and there is no other legal basis for the processing.
- You object to the processing in accordance with Art. 21 Para. 1 GDPR and there are no overriding legitimate reasons for the processing, or you object to the processing in accordance with Art. 21 Para. 2 GDPR.
- Your personal data has been processed unlawfully.
- The deletion of personal data concerning you is necessary to comply with a legal obligation under Union or Member State law to which the controller is subject.
- The personal data concerning you was collected in relation to information society services offered in accordance with Article 8 Para. 1 GDPR.
4. Restriction of processing (“blocking”)
Under the conditions of Art. 18 GDPR, you can request the restriction of the processing of personal data concerning you:
If the processing of personal data concerning you has been restricted, these data - with the exception of their storage - may only be processed with your consent or to assert, exercise or defend legal claims or to protect the rights of another natural or legal person or for reasons of important public interest of the Union or a Member State.
If processing has been restricted in accordance with the above conditions, you will be informed by the person responsible before the restriction is lifted.
5. Right to data portability
According to Art. 20 GDPR, you have the right to receive the personal data concerning you that you have provided to the person responsible in a structured, common and machine-readable format. You also have the right to transmit this data to another person responsible without hindrance from the person responsible to whom the personal data was provided, provided that
- the processing is based on consent in accordance with Article 6 (1) (a) GDPR or Article 9 (2) (a) GDPR or on a contract in accordance with Article 6 (1) (b) GDPR and
- the processing takes place using automated procedures.
In exercising this right, you also have the right to have the personal data concerning you transmitted directly from one controller to another controller, to the extent that this is technically feasible. The freedoms and rights of other people must not be impaired by this.
The right to data portability does not apply to processing of personal data that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
6. Right to object
Under the conditions of Art. 21 GDPR, you have the right, for reasons arising from your particular situation, to object at any time to the processing of personal data concerning you, which is carried out on the basis of Art. 6 Para. 1 lit. e GDPR; this also applies to profiling based on these provisions.
The person responsible will no longer process the personal data concerning you unless he can demonstrate compelling legitimate grounds for the processing that outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.
In connection with the use of information society services - regardless of Directive 2002/58/EC - you have the opportunity to exercise your right of objection using automated procedures in which technical specifications provide the right to revoke the declaration of consent under data protection law.
7. Right of withdrawal
You have the right to revoke your data protection declaration of consent at any time. The revocation of consent does not affect the lawfulness of the processing carried out based on the consent before its revocation.
8. Right to complain to a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your place of residence, your place of work or the place of the alleged violation, in accordance with Article 77 of the GDPR, if you believe that the processing of your personal data violates the GDPR.
The supervisory authority to which the complaint was submitted will inform the complainant of the status and results of the complaint, including the possibility of a judicial remedy in accordance with Art. 78 GDPR.